China’s Personal Information Protection Law: An Attempt to Create Orwellian State


The article titled “China’s Personal Information Protection Law: an attempt to create an Orwellian State” deals with the provisions enshrined in the new protection law proposed by China. The article shows how the law has given unrestricted powers to the State organs to process the data of the individuals. The next part of the article depicts how the government through its various agencies can control the working of the private personal information handlers. The article also deals with the cross-border transfer of personal data as proposed in the law. Throughout the article, it is shown how the law gives unfettered power to the government agencies, thereby undermining the privacy and freedom of the people of China.


With the tremendous growth in technology and the growing importance of data in the world, governments globally are coming up with data protection laws to safeguard the right to privacy of the people. Recently, China introduced its new Data Protection Law. The Chinese government is taking the alibi of protection of privacy, to strengthen its grip over the tech companies and the people of China.

Article 3 of the Data Protection law provides the jurisdiction of the authorities that come under the purview of the law. The article states that the law applies to the handling of personal data outside the country as per the “other circumstances provided in laws or administrative regulations.” It clearly shows that the Chinese government aims to strengthen its control over foreign companies by introducing new regulations.

Article 13 of the Data Protection law, gives the authority to the personal data handlers to process the personal information of an individual without obtaining the consent of an individual on the grounds of fulfilling the statutory obligations, processing the information within reasonable scope to implement “news reporting, public opinion supervision, and other such activities for public interest” and to comply with other circumstances provided under laws and regulations. The article gives unrestricted power to the government authorities to get access to the data of an individual without their consent. The incorporation of the words “public opinion supervision” indicates that the government is going to suppress the fundamental right of freedom of speech and expression.

According to Article 17, it shall be the duty of the personal data handler to provide information to the individual whose data is being processed about the name and contact of the handler. On the other hand, Article 18 provides that the personal data handler shall not disclose the information prescribed under Article 17, “where the laws or administrative regulations provide that confidentiality shall be preserved and notification is not necessary.” Article 30 also gives the power to the government to direct the data handler not to disclose the processing of the sensitive data. It makes it crystal clear that the government retains the power to direct the data handler to not comply with the rights of an individual. It is a blatant disregard to the autonomy and the right to information of an individual. By restraining the handler not to disclose the processing, it creates a fear in the minds of the individuals of being under continuous surveillance.

Article 26 gives legal protection to the installation of the image collection or personal identity recognition equipment in public venues. The article stipulates that the information gathered can be used only for “public security purposes.” The definition and scope of the word “public security” are vague and arbitrary. There is a massive possibility that the information can be used to suppress the legitimate political freedom of the people of China.

Article 34 provides the blanket power to the state’s organ to process the personal data of the individual without disclosure to the individual. The article mandates that where the disclosure of the information “impedes state organs’ fulfillment of their statutory duties and responsibilities”, the organ must not provide the notification to the individual. Since maintenance of the public interest is a statutory duty, the government can use this duty as an excuse to keep a check on the activities of the individual, thereby cracking down on political dissent.

Article 38 deals with the cross-border transfer of the data. It provides that before transferring the data to a foreign country, the data handlers must ensure that the “security assessment test organised by the State Cybersecurity and Informatisation Department” must be passed. Further, Article 41 states that without the approval of the competent authorities of China, the personal information handlers “may not provide the information stored in mainland China” to foreign judicial authorities and law enforcement agencies. Article 43 gives the power to the Chinese government to impose “reciprocal measures” against the discriminatory measures or rules imposed by the foreign country. Thus, it is clear that the government has the sole power in regulating the cross-border transfer of personal data. The provision of mandating the personal information handlers to seek the permission of the authorities to transfer data, even to law enforcement agencies, could act as a significant bulwark in enforcing law and order in foreign countries. There is a great possibility that criminals might use this provision as a shield to commit crimes in other countries. The meaning of the word “reciprocal measures” is nowhere defined. Considering the growing tension between the US and China, this provision of reciprocal measures will be used to further thwart the flow of information.

The law also imposes many restrictions on the freedom of the tech companies to process the personal data of the people of China. Article 52 provides that the personal data handlers on reaching the “quantities provided by the State cybersecurity and informatization department shall appoint personal information protection officers” who are responsible for the handling of the personal information of the individual. It shall be the responsibility of personal information handlers to disclose the method to contact and the name of these officers. By virtue of Article 54, it shall be the responsibility of personal data handlers to regularly engage in the audits of the personal information handlings and ensure that they comply with the laws and administrative compliance. Article 55 casts an obligation on the personal information handlers to preserve the personal information which impacts assessment reports and handling status records for at least three years. There is a possibility that this obligation of preserving the records will be misused by the government agencies in targeting these personal data handlers.

Article 58 of the protection law imposes some extra responsibilities on the personal data handlers that have large numbers of users and provide important internet platforms, shall have to establish and complete “personal information compliance system and structures” as per the regulations issued by the government and shall have to establish an “independent body composed mainly of outside members” and the task of the body is to supervise personal information protection circumstances. Moreover, the article mandates that the handlers will have to accept the “society’s supervision.” The meaning of the word “society’s supervision” indicates the acceptance of the government’s supervision. The government can use its supervision over internet platforms to gag freedom of speech and expression. It can also ask the handlers to provide data of a person to set up the virtual profile of the person to suppress political opposition. Thus, it can be concluded that the law erases the independence of the personal information handlers and compels the handlers to work as the agent of the State.

The law gives tremendous powers to the State Cybersecurity and Informatization Department and the relevant State Council departments to supervise the personal information handlers. They shall be responsible for conducting the personal information protection propaganda and education and to guide the handlers’ conduct on the handling of the personal information. They have the power to conduct on-site inspections and investigations of the suspected unlawful personal information activities. The law imposes the obligation on the concerned information handler to assist the departments. The law also mandates that wherever the departments find that the unlawful processing of the data constitutes a crime, they shall report the matter to the public security authorities.

Furthermore, Article 69 of the law imposes the presumption of guilt on the personal information handler. The article states whenever there will be an infringement of the right of the individual, or there is some harm, and the handler fails to “prove that they are not at fault, they shall bear compensation and take the responsibility of such infringements.” This imposition of culpability on the handlers is the direct violation of Article 11 of the Universal Declaration of Human Rights that states the “right to presumption of innocence” until proven guilty. Thus, it is clear that the authorities have sufficient power to punish the personal information handlers for not adhering to their directions.

Hence, upon analysing the provisions of the data protection law, it is clear that in the name of protecting the privacy of its citizens, the Chinese government is trying its best to create an Orwellian State where the government monitors the day-to-day activities of its people to control its people and to suppress legitimate political dissent.

54 views0 comments

Recent Posts

See All